As Ryan points out, root store operators enforce the BRs in different ways.

Ryan wrote:
> (Writing in an official capacity for the Google/Chrome Root Program)
> <snip>
> Our expectation is that CAs will be filing incident reports for:
> 1) The failure to include and document as in-scope within the relevant audit
> 2) If the CA fails to revoke within the time period required by the BRs, the failure to revoke within the BR time period
> As two separate reports.
> We encourage CAs to carefully examine these reports and provide updates as to their planned revocations.

My understanding is that Google’s root store expectations differ from Mozilla’s root store expectations regarding handling of non-technically-constrained intermediate certificates missing BR audits in 2 ways.

1) Mozilla is currently okay with the incident report for not revoking the non-BR-audited non-technically-constrained intermediate certificates to be handled in the same Bugzilla bug as the missing-audits incident report. However, I interpret Ryan’s message to mean that Google would like those to be two separate Bugzilla Bugs.

Note: I will add a report to list all of the intermediate certificates that have been added to OneCRL and their revocation status. This will enable the CA Community to identify which certificates have been added to OneCRL but are not actually revoked.

2) From Mozilla’s perspective, adding a non-technically-constrained intermediate certificate to Mozilla’s OneCRL (only consumed by Firefox) means that the BRs become out of scope for that certificate. So Mozilla does not require that certificate to be revoked.

dev-security-policy mailing list